AUDIT OF THE DATA INTEGRITY OF THE COMMERCIAL DRIVER’S LICENSE INFORMATION SYSTEM (CDLIS)
Federal Motor Carrier Safety Administration

Report Number: FI-2009-067
Date Issued: July 30, 2009

U.S. Department of Transportation
Office of the Secretary of Transportation
Office of Inspector General

Memorandum

Subject: ACTION: Report on the Audit of the Data Integrity of the Commercial Driver’s License Information System, Report Number: FI-2009-067
Date: July 30, 2009
From: Rebecca C. Leng, Assistant Inspector General for Financial and Information Technology Audits
Reply to Attn. of: JA-20
To: Acting Deputy Administrator, Federal Motor Carrier Safety Administration

This report presents the results of our audit of the data integrity of the Commercial Driver’s License Information System (CDLIS), as required by the Safe, Accountable, Flexible, Efficient Transportation Equity Act: A Legacy for Users (SAFETEA-LU). The Federal Motor Carrier Safety Administration (FMCSA), a component of the Department of Transportation (DOT), is responsible for oversight of CDLIS.

SAFETEA-LU required that we perform a baseline audit that includes an assessment of the validity of the data in CDLIS and an analysis of the revenues derived from the use of CDLIS. SAFETEA-LU also required the Secretary to develop and publish a comprehensive national plan to modernize CDLIS that complies with applicable Federal information technology standards. Last summer, we issued a report presenting our analysis of derived revenues.[1] This report primarily addresses the validity of CDLIS data and security issues. Accordingly, we assessed (1) whether convictions received from the courts were recorded in a timely manner, (2) whether CDLIS and state department of motor vehicles (DMV) systems were adequately secured, and (3) the adequacy of contingency plans to ensure continued CDLIS service to DMVs following a disaster or other emergency.

[1] Use of Income Derived from the Commercial Driver’s License Information System for Modernization, Report Number MH-2008-059, July 10, 2008. OIG reports are available on our website: www.oig.dot.gov.

To address our objectives, we tested a statistical sample of licensed commercial drivers having convictions, and we visited nine state DMVs and interviewed key officials concerning the sampled items, system security, and contingency planning. Our work also included interviews with FMCSA personnel and contractors, as well as reviews of technical documentation and departmental policy. We conducted this performance audit in accordance with generally accepted government auditing standards. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objectives. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objectives. Exhibit A provides further details of our scope and methodology.

BACKGROUND

The Office of Inspector General (OIG) issued reports on the Commercial Driver’s License (CDL) Program in 2000, 2002, and 2006.[2] The first report focused on the disqualification of commercial drivers, noting that out-of-state convictions were not transmitted to licensing states in a timely manner. This report also concluded that states did not disqualify commercial drivers, as required by law, and granted licenses to commercial drivers who posed a safety risk. The 2002 and 2006 reports focused predominantly on fraudulent licensing. Last year, as mentioned, we reported on the use of income derived from CDLIS for system modernization, as required by SAFETEA-LU. These reports contain recommendations to improve CDL program oversight.

Congress found that one of the leading factors operating against commercial motor vehicle safety was the possession of multiple licenses by commercial drivers. Drivers with multiple licenses spread their traffic violations over a number of state licenses to maintain a good-driver rating, regardless of the number of violations they acquire in one or more states. In response to states’ concerns, the Commercial Motor Vehicle Safety Act of 1986 (CMVSA) directed DOT to establish minimum standards for licensing, testing, qualification, and classification of commercial drivers. CMVSA also prohibited commercial drivers from possessing more than one commercial license. The goal of CMVSA was to improve highway safety by removing unsafe and unqualified drivers from the highways, including ensuring that drivers of large trucks and buses were qualified to operate those vehicles.

[2] Disqualifying Commercial Drivers, Report Number MH-2000-106, June 30, 2000; Improving Testing and Licensing of Commercial Drivers, Report Number MH-2002-093, May 8, 2002; and Oversight of the Commercial Driver’s License Program, Report Number MH-2006-037, February 7, 2006.

CMVSA further required that the Secretary of Transportation establish a nationwide information system for exchanging driver-related data among the states. CDLIS, administered by the American Association of Motor Vehicle Administrators (AAMVA) under a memorandum of understanding with FMCSA, was developed to meet this mandate. CDLIS is a central database that stores each commercial driver’s name, date of birth, Social Security number, and the jurisdiction in which the driver is licensed (state of record). Currently, CDLIS maintains this information for about 13 million active and inactive commercial drivers. CDLIS does not contain driver histories itself; rather, it directs such inquiries to the state of record. This history should contain all driving convictions an applicant may have. Completeness of this information depends on the courts’ providing DMVs with accurate conviction data, and DMVs’ timely updating of their driver histories.

State officials use CDLIS to connect with other state DMV systems to check an applicant’s driving history prior to issuing a commercial driver’s license. In addition, CDLIS is accessed by about 5,000 state inspectors to perform roadside inspections; they gain access to CDLIS through a Web application system developed by FMCSA called CDLIS-Access.

RESULTS IN BRIEF

FMCSA has taken measures to strengthen the CDL program, but additional action is necessary to increase the safety of the Nation’s highways. First, DMVs are still experiencing delays in posting convictions to their driver history records for CDLIS users’ access. This continues to impede DMVs’ ability to suspend or revoke problem drivers’ commercial-driving privileges in a timely manner. Second, FMCSA and state DMVs have implemented password security measures to prevent unauthorized access to driver records and privacy information. However, deficiencies in security controls persist. Specifically, system certification and accreditation reviews[3] have not been completed, and states lag in developing and implementing comprehensive security policies and procedures to better protect DMV systems. Third, enhanced contingency planning and testing of both CDLIS-Access and state DMV systems—to ensure uninterrupted CDL services after an emergency—has not fully occurred. As a result, users of these systems are vulnerable to service disruption. We are making a series of recommendations, beginning on page 7, to improve the timeliness of conviction posting, CDLIS system security, and contingency planning.

[3] Certification and accreditation reviews seek to provide assurance that systems are using the proper security controls to ensure adequate protection of the data they maintain.

STATES ARE NOT POSTING COMMERCIAL DRIVER CONVICTIONS IN A TIMELY MANNER

Our sample indicates that there are an estimated 500,000 active commercial drivers with out-of-state convictions for the 50 states and the District of Columbia. We focused on this group specifically because CDLIS is the primary method by which conviction data are sent between states. Based on our sample (253 randomly selected drivers with convictions across nine states), we project that 20 percent of the active CDL-holders (99,000) had convictions that were not posted within the time frames established by FMCSA regulations.[4]

While some states in our review have taken action in an attempt to mitigate posting delays, such as automating the electronic interchange of data between courts and DMV, delays in courts’ data submissions remain problematic. According to state representatives, late receipt of convictions from courts prevents them from posting conviction data within FMCSA’s time frames. As a result, at the time of license issuance or renewal, DMVs may not have all information available with which to make an informed decision on whether a license should be granted, thereby possibly permitting an unqualified driver on the road.
In addition, without a complete driver conviction history, DMV systems would not be able to provide information needed to effectively enforce Federal regulations to ensure that a driver’s commercial license is suspended or revoked for a specific traffic conviction.

[4] Beginning on September 30, 2005, notification to another state of traffic violations was required within 30 days of conviction. States must post a conviction to a driver history record within 10 days of the conviction if it occurred in the same state (49 C.F.R. § 384.225(c)), or within 10 days of receipt of the notice of conviction if it is from another state (49 C.F.R. § 384.209(c)). Information on some drivers within the sample was missing. For example, the date that the conviction record was added to DMV driver history was not always present, therefore restricting our analysis of timeliness. We estimate with 90-percent confidence that 15 percent of current CDL-holders have missing information in CDLIS, or about 75,000 out of an estimated 500,000. (Margin of error for estimates is +/-5 percentage points for current CDL-holders with out-of-state convictions, and +/-14 percentage points for not posting current CDL-holder convictions in a timely manner and for current CDL-holders with missing information.)

CDLIS AND SOME STATE SYSTEMS ARE NOT ADEQUATELY PROTECTING DRIVER DATA

Neither FMCSA nor AAMVA has entirely fulfilled its responsibility of securing the systems that house conviction data on America’s commercial drivers—the individuals entrusted with the safe conveyance of our trucks and buses. In addition, some of the states we visited have likewise not entirely fulfilled this responsibility.

FMCSA has not enforced the CDLIS-Access requirement that systems be accredited as adequately secured, nor has it included CDLIS-Access in its systems inventory. The Office of Management and Budget (OMB) requires that systems be inventoried and authorized (i.e., accredited) as adequately secured before beginning or significantly changing system processing, and reauthorized at least once every 3 years.[5] Yet the contractor managing CDLIS-Access—used by state inspectors and FMCSA personnel to access state DMV commercial-driver records—was unaware that this requirement existed. In addition, we were unable to locate any contract provision that required the contractor to certify or accredit CDLIS-Access. We found two weaknesses in CDLIS-Access that could have been identified in the accreditation process: (1) user names and passwords were being transmitted without encryption, and (2) the Web site was vulnerable to certain hacker attacks.[6] As a result, CDLIS-Access has increased exposure to intrusion.

Further, FMCSA has recognized the need to implement Federal security standards for CDLIS and has signed a memorandum of understanding with AAMVA (dated June 2008) requiring certification and accreditation of the system. However, no completion date was specified in the agreement, and to date, certification and accreditation have not been completed. Until completion of proper certification and accreditation, FMCSA will continue to lack a crucial management control to ensure that systems are properly assessed for security risk, have been independently tested, and that weaknesses have been identified and sufficiently mitigated. According to FMCSA management, they are working on the certification.

On the state level, for five of the nine DMVs in our sample, security policies were either nonexistent or had not been finalized. Federal laws, regulations, and guidance provide for the development of security policies to protect the confidentiality, integrity, and availability of data. While recognizing state sovereignty and that Federal requirements are not mandatory upon state DMVs, it would be prudent for states to develop and enforce an information security program. State officials reported that they had not developed comprehensive security policies due to a lack of resources, changes in separation of system responsibility between the state and DMV, and the absence of an established state-level approach to security requirements. Regardless, without adequate and comprehensive information security policies, states cannot establish or maintain an effective information security program that provides direction to users, enforces compliance, and ensures that security risks are reduced in a cost-effective manner.

[5] Security of Federal Automated Information Resources, Circular A-130, Appendix III, February 8, 1996.
[6] We shared specifics of these vulnerabilities with FMCSA during the audit to facilitate its corrective actions.

FMCSA AND STATE DMVs LACK COMPREHENSIVE CONTINGENCY PLANS AND EVIDENCE OF TESTING

FMCSA does not have a contingency plan for CDLIS-Access, nor has it ever conducted a disaster recovery exercise for this system. According to the National Institute of Standards and Technology (NIST), effective contingency planning and testing are essential to mitigating the risk of system and service unavailability.[7] While FMCSA management cites funding constraints, it is incumbent upon managers to allocate resources needed to implement departmental requirements. Until a contingency plan has been developed and tested, no assurance exists that users of this system—about 5,000 state roadside inspectors and 900 FMCSA personnel—will have timely access to state DMV CDL records in the event of a disaster.

Similarly, of the nine sample states reviewed, five could not provide contingency plan documentation or evidence that testing had been performed to ensure that their licensing systems could be recovered following a disaster. DMV officials cited prioritization of needs, changes in separation of system responsibility between state and motor vehicle administrations, and lack of standardized state requirements as reasons. In addition, according to these officials, the loss of use of their systems would have limited impact on their operations because they could revert to manual processing or even suspend issuance of licenses. Still, without viable and tested contingency plans, states may be unable to provide timely and complete conviction data to other states in the event of a severe or extended disruption, prolonging the period during which unsafe drivers may remain on the road.

[7] Contingency Planning Guide for Information Technology Systems, Special Publication 800-34, June 2002.

CONCLUSIONS

Safety is the top priority of the Department of Transportation. Ensuring that convictions are posted in a timely manner would improve safety by enabling or facilitating timely removal of problem drivers from our highways. This will be more successful as CDLIS and DMV systems are better secured and system contingency planning and testing become realities. Yet improving safety must be a cooperative venture between and among all stakeholders, including states, courts, the Federal Government, and partners such as AAMVA. And while efforts to improve safety through better oversight and coordination continue as CDLIS is modernized, it will be important to balance such actions against the necessity of securing driver privacy.

RECOMMENDATIONS

We recommend that the Acting Deputy Administrator, FMCSA, direct the Associate Administrator for Enforcement and Program Delivery to:

Timeliness of Posting of Convictions:

   1. Require action plans from states to address tardiness in posting of convictions. Such plans should identify specific state problems in dealing with the courts, suggest solutions to these problems, and time frames by which the problems will be resolved or mitigated.

Security Policies and Procedures:

   2. Complete the certification and accreditation of the CDLIS-Access system and add it to the FMCSA and DOT system inventories.

   3. Implement, in conjunction with the FMCSA Chief Information Officer (CIO), a proper encryption mechanism on CDLIS-Access to protect user credentials while data are in transit.

   4. Correct, in conjunction with the FMCSA CIO, the intrusion vulnerabilities in CDLIS-Access.

   5. Require AAMVA to complete the certification and accreditation of CDLIS as required by the memorandum of understanding between FMCSA and AAMVA.

   6. Promote and communicate to DMVs the need to establish security policies and procedures for safeguarding CDL information as part of CDLIS modernization.

Contingency Planning and Testing:

   7. Prepare, in conjunction with the FMCSA CIO, contingency plans for CDLIS-Access, in accordance with OMB and NIST guidance.

   8. Perform, in conjunction with the FMCSA CIO, disaster recovery testing of the CDLIS-Access system.

   9. Promote and communicate to DMVs the need to perform periodic contingency testing for their licensing systems.

AGENCY COMMENTS AND OFFICE OF INSPECTOR GENERAL RESPONSE

We provided FMCSA with our draft report on June 8, 2009, and received its response on July 22, 2009. FMCSA concurred with all nine recommendations and discussed appropriate planned actions and target completion dates. FMCSA’s response is included in its entirety in Appendix A.

ACTIONS REQUIRED

Management actions taken and planned are responsive to our recommendations, and are considered resolved subject to follow-up provisions in DOT Order 8000.1C.

We appreciate the courtesies and cooperation of representatives from the Federal Motor Carrier Safety Administration, and state DMV personnel who participated during this audit. If you have any questions concerning this report, please call me at (202) 366-1407 or Louis King, Program Director, at (202) 366-4350.

cc: Chief Information Officer, DOT
    Martin Gertel, M-1
    Karen Lynch, MC-TRS

EXHIBIT A. SCOPE AND METHODOLOGY

CDLIS is an archival database containing Social Security numbers, dates of birth, names, drivers’ license numbers, states of record, and aliases for about 13 million commercial drivers. These records identify active or expired commercial driver’s license (CDL)-holders, drivers applying for CDL licenses, and drivers convicted of driving a commercial vehicle without a valid commercial driver’s license.
In order to identify, to the extent possible, the number of individuals holding an active CDL who also had one or more traffic convictions, we matched CDLIS drivers to the National Driver Register (NDR).[8] From this match, we selected a statistically valid sample in two stages. In stage 1 we selected nine out of 51 jurisdictions (the 50 states plus the District of Columbia) and in stage 2 we selected 253 out of 804,523 commercial drivers with out-of-state convictions. The nine states selected were California, Massachusetts, Mississippi, Missouri, New Jersey, New York, Oklahoma, Tennessee, and Texas. The figure depicts this process.

Figure. Selection of Commercial Drivers with Convictions from Other States

    CDLIS (13 million) -> Data Match (SSN, Name, DOB) -> Driver Extract (2.6 million)
        CDLIS data are matched against NDR data to identify drivers with a potential conviction.
    Driver Extract (2.6 million) -> Out-of-State Conviction Match -> Drivers with out-of-state convictions (804,523)
        An additional match is performed to identify drivers with out-of-state convictions.
    Drivers with out-of-state convictions (804,523) -> Sample Selection (9 states) -> Drivers with out-of-state convictions [a] (253)
        We statistically selected 253 drivers out of the 804,523 drivers.

    [a] Drivers with out-of-state convictions were chosen specifically as CDLIS is the primary method of exchanging conviction data between states. (Source: OIG)

We made site visits to the nine states from May through July 2008 to determine the timeliness of processing conviction data for each driver in our sample. To address timeliness, we analyzed all convictions for each driver’s history record from 2005 through 2008 and compared the time it took from the date of conviction reported by the court to the date that the conviction was posted to the driver’s record by the DMV. We conducted detailed observations, discussions, and reviews of policies and practices for the processing of traffic convictions, transmission of information to other states, problem resolution, and security controls established for protection of driver data.

[8] NDR is a central register that enables state DMV officials to exchange information on problem drivers in each state.
In each of the states we also\ncompared specific Federal CDL regulations with the states\xe2\x80\x99 internal policies and\npractices for processing conviction data.\n\nTo assess the integrity of the state\xe2\x80\x99s system, we reviewed the CDL oversight\npractices, focusing on those relating to computer issues, by interviewing FMCSA\nofficials and state CDL program officials at state offices, and reviewing\ndocumentation including CDL program reviews, correspondence between FMCSA\nand state officials, status reports from states to FMCSA on unresolved compliance\nissues, and other related documentation. Additionally, we assessed the integrity of\nthe DMV system controls in processing the convictions by specifically focusing\non the translation of state-of-record conviction codes to uniform Federal codes,\nand ensuring that this was being done accurately.\n\nTo address our objective on security, we used NIST security guidance as our\nbaseline for best practices. While recognizing state sovereignty and that Federal\nrequirements (including NIST\xe2\x80\x99s) are not mandatory upon state DMVs, it would be\nprudent for states to develop and enforce an information security program. We\nreviewed the state\xe2\x80\x99s information system security control policies and procedures;\nobserved controls in operation (which included selecting a judgmental sample of\nitems); and held discussions with officials at the state data center and motor\nvehicle administration to determine whether controls were in place, adequately\ndesigned, and operating effectively. Finally, we reviewed the information security\npractices at the contractor sites to assess whether they were consistent with Federal\ncertification and accreditation requirements.\n\nThe audit work was performed between December 2007 and July 2008. We\nconducted this performance audit in accordance with generally accepted\ngovernment auditing standards. 
Those standards require that we plan and perform\nthe audit to obtain sufficient, appropriate evidence to provide a reasonable basis\nfor our findings and conclusions based on our audit objectives. We believe that\nthe evidence obtained provides a reasonable basis for our findings and conclusions\nbased on our audit objectives.\n\n\n\n\nExhibit A: Scope and Methodology\n\x0c                                                                       11\n\nEXHIBIT B. MAJOR CONTRIBUTORS TO THIS REPORT\nName                               Title\n\nLouis C. King                      Program Director\n\nMichael Marshlick                  Project Manager\n\nMichael P. Fruitman                Writer-Editor\n\nAtul Darooka                       Information Technology Specialist\n\nAnthony Cincotta                   Information Technology Specialist\n\nMartha Morrobel                    Information Technology Specialist\n\n\n\n\nExhibit B: Major Contributors to this Report\n\x0c                                                                                                           12\n\n           APPENDIX A. MANAGEMENT RESPONSE\n\n\n\n\n           Memorandum\n           U.S. Department\n           Of Transportation\n\n           Federal Motor Carrier\n           Safety Administration\n\n\n\nSubject:   INFORMATION: Response to the OIG Draft Report            Date:\n                                                                               JUL 22 2009\n           \xe2\x80\x9cAudit of the Data Integrity of the Commercial\n           Driver\xe2\x80\x99s License Information System (CDLIS),\xe2\x80\x9d\n           08F3003F000\n\nFrom                                                                Reply      MC-PRS\n                                                                    to\n           Rose A. McMurray                                         Attn: of\n           Acting Deputy Administrator\n\nTo:        Rebecca C. 
Leng\n           Assistant Inspector General for Financial and\n            Information Technology Audits\n\n           The Federal Motor Carrier Safety Administration (FMCSA) reviewed the Office of Inspector\n           General (OIG) draft report \xe2\x80\x9cAudit of the Data Integrity of the Commercial Driver\xe2\x80\x99s License\n           Information System (CDLIS)\xe2\x80\x9d and concurs with the recommendations. The commercial driver\xe2\x80\x99s\n           license (CDL) program supports the Agency\xe2\x80\x99s mission by ensuring that only qualified and safe\n           drivers operate commercial motor vehicles and continuously identifies the most effective\n           strategies for improving driver safety. Based on the 2008 statistics recently released by the\n           National Highway Traffic Safety Administration, the number of overall traffic fatalities reached\n           its lowest level since 1961. Similarly, an early estimate of motor vehicle fatalities for the first\n           quarter of 2009 shows that this favorable trend has continued into the current fiscal year. Large\n           truck fatalities were down more than 12 percent in 2008 from 2007, and the large truck fatality\n           rate per total vehicle miles of travel reached the lowest level ever recorded.\n\n           The FMCSA implemented several measures to strengthen the CDL program, and additional\n           refinements related to CDLIS data, security, and modernization are in progress. It should be\n           noted, however, that the Agency has limited authority to mandate Federal information technology\n           security standards for the States. Further, the Agency must coordinate with 51 jurisdictions that\n           do not have uniform traffic violation standards, unified court systems, standard electronic\n           reporting methods, or statutes mandating the 10-day requirement for reporting CDL conviction\n           data. 
The Agency is continuing to work with the States to address these challenges and\n           strengthen CDL program oversight.\n\n           RECOMMENDATIONS AND RESPONSES\n\n\n           Appendix A: Management Response\n\x0c                                                                                                13\n\n\n\nRECOMMENDATION 1: Require action plans from states to address tardiness in posting\nof convictions. Such plans should identify specific state problems in dealing with the courts,\nsuggest solutions to these problems, and time frames by which the problems will be resolved\nor mitigated.\n\nRESPONSE: Concur. As part of FMCSA\xe2\x80\x99s comprehensive CDL Compliance Reviews, States\nare required to submit corrective action plans to the Agency to address challenges, including\nmeeting the timeliness requirement. Beginning in FY 2010, the Agency will provide each State\nwith a quarterly report reflecting its compliance with the timeliness requirement, and a\ncomparison with the other States.\n\nThe Agency will also communicate to States the importance of achieving compliance with the\ntimeliness requirement during the CDL Information Technology (IT) Users Workshop, scheduled\nfor September 2009, and the CDL Coordinators Meeting, tentatively scheduled for February\n2010. Written guidance is being developed, and will be available in September 2009 on the\nFMCSA and American Association of Motor Vehicle Administrators (AAMVA) web sites.\n\nRECOMMENDATION 2: Complete the certification and accreditation of the CDLIS-\nAccess system and add it to the FMCSA and DOT system inventories.\n\nRESPONSE: Concur. The Agency is currently reviewing the certification and accreditation\n(C&A) package for the CDLIS-Access system, which is hosted by a contractor, and anticipates\nadding it to the FMCSA system inventories by the end of FY 2009. 
The FMCSA informed the contractor that the CDLIS-Access system will be monitored by FMCSA, and must meet the requirements of the Office of Management and Budget Circular Number A-130, Management of Federal Information Resources.

RECOMMENDATION 3: Implement, in conjunction with the FMCSA Chief Information Officer (CIO), a proper encryption mechanism on CDLIS-Access to protect user credentials while data are in transit.

RESPONSE: Concur. The FMCSA directed its contractor to implement a proper encryption mechanism to protect user credentials. The contractor has initiated the purchase of a third-party digital certificate to meet encryption requirements, and will reconfigure the information system to utilize the protocol for encrypting web authentication traffic by the end of FY 2009.

RECOMMENDATION 4: Correct, in conjunction with the FMCSA CIO, the intrusion vulnerabilities in CDLIS-Access.

RESPONSE: Concur. By incorporating CDLIS-Access into the FMCSA Information System Continuous Monitoring Program, FMCSA’s contractor will be required to report to FMCSA the status of remediation activities on emerging cyber threats and vulnerabilities. By the end of FY 2010, FMCSA will initiate weekly application and vulnerability scans on the CDLIS-Access information system. The FMCSA Information System Security Officer (ISSO) and the contractor will review scan result reports and deploy recommended fixes.

RECOMMENDATION 5: Require AAMVA to complete the certification and accreditation of CDLIS as required by the memorandum of understanding between FMCSA and AAMVA.

RESPONSE: Concur. The FMCSA will continue to work with AAMVA to ensure that C&A activities are accomplished in a timely manner. The AAMVA is currently on target to complete the C&A of CDLIS by the end of calendar year 2009.
Additionally, FMCSA and AAMVA have recently agreed on an independent certification agent that will perform testing in accordance with commercial and Federal standards. The certification agent will evaluate the operational, management, and technical security requirements to determine the extent to which the controls are properly implemented, are operating as intended, and meet the system security requirements.

RECOMMENDATION 6: Promote and communicate to DMVs the need to establish security policies and procedures for safeguarding CDL information as part of CDLIS modernization.

RESPONSE: Concur. The FMCSA CDL Division, FMCSA ISSO and AAMVA’s IT Security Officer will develop an action plan that promotes safeguarding CDL data as part of the CDLIS Modernization communication plan. The Agency anticipates completing the action plan by the end of calendar year 2009. Information developed as a result of the plan will be posted on FMCSA and AAMVA web sites. The Agency will also share with the States the importance of safeguarding CDL information as part of the CDL IT Users Workshop, scheduled for September 2009, and the CDL Coordinators Meeting, tentatively scheduled for February 2010.

RECOMMENDATION 7: Prepare, in conjunction with the FMCSA CIO, contingency plans for CDLIS-Access, in accordance with OMB and NIST guidance.

RESPONSE: Concur. Once CDLIS-Access is fully accredited, FMCSA will incorporate the system into its FISMA-compliant Information System Continuous Monitoring Program. The program, which operates in accordance with OMB and NIST guidance, includes continuity of operations, disaster recovery, and contingency planning. As part of the program, a contingency plan will be developed in accordance with scheduled security reporting, as documented in the Plan of Action and Milestones (POA&M).
The POA&M will identify the tasks that must be accomplished, the resources required to perform these tasks, the milestones needed to achieve these tasks, and the scheduled completion dates for the milestones. FMCSA will ensure a contingency plan is prepared for CDLIS-Access in accordance with the POA&M and anticipates completing the plan, contingent on resources and agency priorities, by the end of FY 2010.

RECOMMENDATION 8: Perform, in conjunction with the FMCSA CIO, disaster recovery testing of the CDLIS-Access system.

RESPONSE: Concur. Once CDLIS-Access is fully accredited, FMCSA will work with the CDLIS-Access contractor and AAMVA to ensure that viable disaster recovery plans are maintained and, if necessary, updated in order to support the mission objectives during an unforeseen outage. This includes reviewing contingency plans and participating in scheduled disaster recovery contingency plan test exercises. Accordingly, FMCSA will perform disaster recovery testing of the CDLIS-Access system, contingent on resources and agency priorities, by the end of FY 2010.

RECOMMENDATION 9: Promote and communicate to DMVs the need to perform periodic contingency testing for their licensing systems.

RESPONSE: Concur. The FMCSA ISSO and the CDL Division will develop guidance for contingency testing of State licensing systems as part of the CDLIS Modernization communication plan. The guidance will inform States of best practices, and will be presented at such forums as the CDL IT Users Workshop scheduled for September 2009 and the CDL Coordinators Meeting, tentatively scheduled for February 2010.
Written documentation associated with this guidance and industry best practices for contingency planning and testing will be made available on the FMCSA and AAMVA web sites.

The FMCSA appreciates the OIG’s efforts which assist FMCSA in fulfilling its transportation safety goals. If you need additional information or clarification, please do not hesitate to contact me, or Jeffrey K. Miller, Chief, Strategic Planning and Program Evaluation Division, 202-366-1258.